I'm a privacy pragmatist, writing about the intersection of law, technology, social media and our personal information. If you have story ideas or tips, e-mail me at khill@forbes.com. PGP key here.

Your Phone Number Is Going To Get A Reputation Score

The report Telesign will generate for every phone number. Hopefully yours doesn't look like this one.

Telesign is one of those companies that you’ve probably never heard of but that provides services you likely use on a regular basis, especially if you have two-factor authentication set up for any of your online accounts. Based out of L.A.’s “Silicon Beach,” Telesign helps companies verify that a mobile number belongs to a user (sending those oh-so-familiar “verify that you received this code” texts) and takes care of the mobile part of two-factor authenticating or password changes. Among their over 300 clients are nine of the ten largest websites in the U.S., says Telesign’s CEO Steve Jillings, though he’s shy about naming them (at least on the record). He says that fraudulent and fake accounts are greatly reduced for customers who require a mobile number be attached to an account.

The company has had massive growth over the last three years thanks to online security concerns and breaches. Communication companies such as Google, Facebook and Twitter have famously enabled two-factor authentication. “The tide turned when Google started offering two-factor in 2010. When free email providers started doing two-factor, a lot of people asked why their financial services weren’t doing the same thing,” says Jillings, a tall New Zealander whose accent has faded thanks to years spent in the U.S., including a stint heading an email security company that did spam detection that sold to Microsoft in 2005 for $200 million.

Now Telesign wants to leverage the data — and billions of phone numbers — it deals with daily to provide a new service: a PhoneID Score, a reputation-based score for every number in the world that looks at the metadata Telesign has on those numbers to weed out the burner phones from the high-quality ones. Yes, there’s yet another company out there with an inscrutable system making decisions about you that will affect the kinds of services you’re offered.

“Companies simply send a user’s phone number to TeleSign via its REST API to receive a real-time score, risk level and a recommendation,” says the company in a press release. “TeleSign’s clients use this predictive data to prevent scammers and fraudsters from abusing services such as creating fake accounts, and for approving online transactions with greater confidence.”

“We each have a unique mobile identity tied to our phone number that is linked to a wealth of information, from where we live to our online activities. This makes the phone number the most efficient and conclusive method to identify fraud online,” said Telesign’s CTO Charles McColgan in the release. “PhoneID Score introduces a new way for companies to quickly verify transactions, block fake accounts, and prevent eCommerce fraud, based simply on a phone number.”

Telesign sees phone numbers as a replacement for social security numbers — a form of identification that can be instantly verified (thanks to your holding it in the hand), that comes with details about who owns it, what kind of phone it is (land line, mobile, VOIP, etc), how long they’ve had it, where they get their service, and which companies and apps they’re attached to.

The Telesign rating system

I asked the company to score me and a few of my colleagues to get a sense of how this will work. The range is 0 to 1000, with 0 being a gold iPhone and 1000 being a burner phone that’s only used to order drugs and kill people. Luckily, none of us got that latter score. My office landline scored a 100. Two of us got 10s for our mobiles, and two others got a 200. I also got to see where all of the numbers had been registered and who provided their service.

These are all high quality scores, says Jillings, who explained that anything below 200 will tell a company to roll out the red carpet for you. He didn’t seem to think the differences in the scores mattered and could not explain what might account for the 10 – 200 range, though one of those 200-scored accounts is less than a year old. Between 400 and 600 would lead to a fuller review, and anything over 600 would be flagged as a potentially fraudulent or abusive account, and likely blocked from signing up for that service. So what determines the score?

Telesign pulls where the phones were registered and who provides the service. The older an account is, the better. And if the number shows up as attached to legitimate accounts with companies, apps, and websites to which Telesign provides services, that’s a good thing. A newly opened account, a less well-known carrier, or a number that’s not registered with some of the customers for which this company does two-factor authentication results in a lower score.

Jillings emphasizes that they’re not directly using their clients’ data, but they are using the metadata around numbers. If for example, a particular number applies for accounts rapid fire with a bunch of their clients, that’s a bad sign. Their clients also contribute data back to their network, such as known fraud associated with a particular number.

Jillings also says that because Telesign is a mobile network operation licensed out of the UK, it gets access to network-oriented data. “If I’m roaming in France, for example,” says Jillings, “the French operator can do a network analysis to see if that’s a pre-paid account or not before deciding to put a call through to it. We’re using that data with a different spin.”

It’s a self-serving prediction, but Jillings thinks there will be a time when every account will require an associated mobile phone number, in which case Telesign’s scoring system will be important.

“The current user name/password system is broken,” says Jillings. “Eventually the mobile phone as authenticator of identity will be everywhere, because it’s immediately verifiable. You’ll have to provide your phone number for every site.”


Jason Polancich at HackSurfer said that banks could significantly reduce fraud with two-factor authentication using phones, but banks’ market studies have persuaded them consumers see this as an inconvenience, and banks want to keep consumers spending. See my recent story http://www.forbes.com/sites/tomgroenfeldt/2013/11/04/hackers-collaborate-now-white-hats-can-share-cyber-crime-info/

Yes and no. Remember, the more that is known about us and “linked,” the more can be used against us in the future. The real question is this: WHO do we really need to protect ourselves from and WHO can we trust? The answers are everyone and no one.

Not everyone has a phone, period. I was buying online today from a company that required a phone number at checkout so I simply found a company that didn’t. I send payments overseas through HSBC as they provide a safer, encrypted SecuRemote card, rather than my main bank who require annoying phone ID, netting the former £17 a time at the expense of the latter. Once companies see that this will cost them customers it will get dropped, the exception may be ‘free’ services such as email accounts.